Use After Free in Linux kernel - CVE-2026-23306


Published: March 25, 2026


Vulnerability identifier: #VU124555
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-23306
CWE-ID: CWE-416
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Linux Foundation
Affected software:
Linux kernel

Detailed vulnerability description

The vulnerability allows a local user to execute arbitrary code and escalate privileges.

The vulnerability exists due to a use-after-free in the pm8001_queue_command() function in the SCSI subsystem when handling SCSI commands during a phy-down or device-gone state. A local user can trigger a double free by issuing a command that causes the function to erroneously return -ENODEV after the task has already been freed, so the caller's error path frees it a second time; the resulting memory corruption could lead to arbitrary code execution or privilege escalation.

The vulnerability specifically affects the pm8001 SAS controller driver and requires the ability to issue SCSI commands, which is typically available to local users with access to storage devices.
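To illustrate the ownership mistake the description names (a callee that frees the task and still returns -ENODEV, so the caller's error path releases it again), here is an added C model of the buggy and corrected call shapes. It is not the pm8001 driver's code: the task structure, the function names and the free counter are assumptions constructed for this example.

```c
#include <errno.h>

/* Hypothetical stand-in for a queued SCSI task; the counter lets us observe
 * a double free deterministically instead of relying on allocator behaviour. */
struct task {
    int freed;
};

/* Release the task; returns 1 on the first free, 2 or more on a double free. */
static int release_task(struct task *t)
{
    return ++t->freed;
}

/* Buggy shape (as the advisory describes): on "device gone" the callee frees
 * the task AND reports -ENODEV, so the caller believes it still owns it. */
static int queue_command_buggy(struct task *t, int dev_gone)
{
    if (dev_gone) {
        release_task(t);
        return -ENODEV;
    }
    return 0;
}

/* Corrected shape: the error path never frees; ownership stays with the
 * caller, which is the only party that releases the task. */
static int queue_command_fixed(struct task *t, int dev_gone)
{
    if (dev_gone)
        return -ENODEV;
    return 0;
}

/* Generic caller: on a negative return it assumes it still owns the task and
 * releases it. Returns how many times the task ended up freed; the success
 * path (0) leaves release to a completion handler that is not modelled. */
static int submit(int (*queue)(struct task *, int), int dev_gone)
{
    struct task t = { 0 };
    int rc = queue(&t, dev_gone);

    if (rc < 0)
        release_task(&t);
    return t.freed;
}
```

Running submit() with dev_gone set shows the buggy callee produces a free count of 2 (the double free) while the corrected one produces exactly 1.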


How to mitigate CVE-2026-23306

Install the security update from the vendor's repository.

Sources